| 5251 |
2021-02-18 17:45
|
DEOappfYsSq5C13.exe f02bd49ed33a2243d71bb1bbe592f39b
VirusTotal Malware Buffer PE Check memory Checks debugger buffers extracted unpack itself |
|
|
|
|
3.0 |
M |
10 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5252 |
2021-02-18 17:46
|
cmd2.exe b32efdfbbda064434979296814e8875f
FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs DNS |
5
http://www.xn--oi2b190cymc.com/bw82/?uRipW=7nGxC&FTChTb7=u3mIEO7S2jpcCNzGap3V7GnWoZ6byXdDGQc9TZtHwlHE0/S/m+Ek+z3BS3DZiW4dRqN2gVn1 - rule_id: 178
http://www.xn--oi2b190cymc.com/bw82/ - rule_id: 178
http://www.exlineinsurance.com/bw82/?uRipW=7nGxC&FTChTb7=BmIsBEloLc/PpxxxkqeO/+wp1eRqaF5UDtwx0wOakOw3DMvjZvU2EPbm5c7g7p6k7NfDBGcL - rule_id: 179
http://www.gmobilet.com/bw82/
http://www.exlineinsurance.com/bw82/ - rule_id: 179
|
11
www.exlineinsurance.com(182.50.132.242) - mailcious
www.xn--oi2b190cymc.com(112.175.185.27) - mailcious
www.climaxnovels.com(34.102.136.180) - mailcious
www.ramjamdee.com(34.102.136.180) - mailcious
www.gmobilet.com(104.160.174.190) - mailcious
www.twistedtailgatesweeps1.com(184.168.131.241) - mailcious
34.102.136.180 - mailcious
112.175.185.27 - mailcious
184.168.131.241 - mailcious
182.50.132.242 - mailcious
104.160.174.190
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
4
http://www.xn--oi2b190cymc.com/bw82/
http://www.xn--oi2b190cymc.com/bw82/
http://www.exlineinsurance.com/bw82/
http://www.exlineinsurance.com/bw82/
|
10.2 |
M |
17 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5253 |
2021-02-18 17:59
|
document.doc 4261ec0a9edda9561c4dda5d8da7f98d
FormBook Malware download VirusTotal Malware Malicious Traffic exploit crash unpack itself malicious URLs Windows Exploit DNS crashed Downloader |
2
http://www.rizrvd.com/bw82/?CnaDl=AJ+QNFfrOFbXfaBH3oQHABBFVni950JEMBOKAlzmtW9JOrHkbqbPArp20lyvTn0sGIZMgptI&DxlLi=2dmX - rule_id: 170
http://www.rizrvd.com/bw82/ - rule_id: 170
|
5
www.rizrvd.com(34.102.136.180) - mailcious
www.illfingers.com(162.241.217.138) - mailcious
162.241.217.138 - mailcious
34.102.136.180 - mailcious
65.0.55.192 - mailcious
|
7
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE FormBook CnC Checkin (GET)
|
2
http://www.rizrvd.com/bw82/
http://www.rizrvd.com/bw82/
|
5.6 |
M |
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5254 |
2021-02-18 17:59
|
dxmanx.exe e1fad87e847735c141f999d5b024080d
VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces suspicious process malicious URLs WriteConsoleW Windows ComputerName DNS Cryptographic key crashed |
2
http://185.239.242.107/base/E7F1A17AB07A675B9B97A676DDD26130.html - rule_id: 263
http://185.239.242.107/base/5D6C633E69FA50F58B40E7ED6CC7A014.html - rule_id: 263
|
1
185.239.242.107 - mailcious
|
|
2
http://185.239.242.107/base/
http://185.239.242.107/base/
|
12.2 |
M |
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5255 |
2021-02-18 18:10
|
EWC.exe d9a30d4715edbd7428d377872b0f49a0
VirusTotal Malware RWX flags setting unpack itself DNS |
|
|
|
|
2.4 |
M |
33 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5256 |
2021-02-18 18:10
|
edi.js 5f82fde65dfd751c2b602541e36ae6d7
Browser Info Stealer VirusTotal Email Client Info Stealer Malware powershell AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI heapspray Creates shortcut ICMP traffic unpack itself Windows utilities Check virtual network interfaces suspicious process malicious URLs AntiVM_Disk sandbox evasion WriteConsoleW VM Disk Size Check installed browsers check Windows Java Browser Email ComputerName DNS Cryptographic key DDNS keylogger |
|
6
augustair.com(206.130.99.140) - malware
google.com(172.217.175.14)
jimmy101.myq-see.com(162.251.123.194) - mailcious
162.251.123.194
206.130.99.140 - malware
216.58.199.14 - mailcious
|
3
ET WEB_CLIENT Hex Obfuscation of replace Javascript Function % Encoding
ET INFO Observed DNS Query to .myq-see .com DDNS Domain
ET SHELLCODE Possible %41%41%41%41 Heap Spray Attempt
|
|
21.4 |
M |
4 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5257 |
2021-02-18 18:32
|
higLyd1z5fHwrWa.exe 9b4d73ebe99774a232e29b43ee1e96d4
VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW Windows ComputerName |
|
|
|
|
10.0 |
M |
19 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5258 |
2021-02-18 18:32
|
huaa.msi 9155b960719fa978d1a26c54a5897cdd
VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself AntiVM_Disk VM Disk Size Check ComputerName DNS |
|
|
|
|
2.8 |
M |
3 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5259 |
2021-02-18 18:37
|
huaa.pdf.exe 879951cddad7add207ee8ed634e4247a
VirusTotal Malware Check memory RWX flags setting unpack itself |
|
|
|
|
1.4 |
M |
3 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5260 |
2021-02-18 18:37
|
ICcVhvdlUe6FdY2.exe c5593207f9e831b1727fcf584f229a73
VirusTotal Malware Buffer PE Check memory Checks debugger buffers extracted unpack itself DNS |
|
|
|
|
3.6 |
M |
15 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5261 |
2021-02-18 18:40
|
jooo.exe 19f3a1669176c3126ae4f89832ea265e
VirusTotal Malware Buffer PE Check memory Checks debugger buffers extracted unpack itself |
|
|
|
|
3.0 |
M |
11 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5262 |
2021-02-18 18:41
|
M9hXhq8tCvts4NK.exe 6b7415c987b1bc9ded11a5af9ddbf403
VirusTotal Malware Buffer PE Check memory Checks debugger buffers extracted unpack itself DNS |
|
|
|
|
3.6 |
M |
11 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5263 |
2021-02-18 18:44
|
MLU.exe 30463b0e753ea65c33791f701f68bf9f
VirusTotal Malware RWX flags setting unpack itself DNS |
|
|
|
|
2.2 |
M |
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5264 |
2021-02-18 18:44
|
maxs.exe e461c46a2ae8137c347fcb895c6bddf0
Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces suspicious process malicious URLs WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger |
2
http://185.239.242.107/base/F877518494A88142C918652019EF505B.html - rule_id: 263
https://api.ipify.org/
|
3
api.ipify.org(23.21.126.66)
23.21.126.66
185.239.242.107 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
1
http://185.239.242.107/base/
|
14.6 |
M |
16 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5265 |
2021-02-18 21:23
|
hello.exe f146529e51a359d892943fe6da8cbbea
VirusTotal Malware WriteConsoleW |
|
|
|
|
1.4 |
|
21 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|